me/guix
Archived
1
0
Fork 0
Code Activity

ssh: Always authenticate the server [security fix].

Browse source 
Until now, users of 'open-ssh-session', including "guix deploy" and
"GUIX_DAEMON_SOCKET=ssh://…" (but not "guix offload"), would not
authenticate the SSH server they're talking to.

* guix/ssh.scm (open-ssh-session): Call 'authenticate-server'.
This commit is contained in:
Ludovic Courtès 2019-12-03 21:41:54 +01:00
parent 114dcb429a
commit f5c180180e
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
guix/ssh.scm
View file

@ -125,6 +125,17 @@ Throw an error on failure."
(match (connect! session) (match (connect! session)
('ok ('ok
;; Authenticate against ~/.ssh/known_hosts.
(match (authenticate-server session)
('ok #f)
(reason
(raise (condition
(&message
(message (format #f (G_ "failed to authenticate \
server at '~a': ~a")
(session-get session 'host)
reason)))))))
;; Use public key authentication, via the SSH agent if it's available. ;; Use public key authentication, via the SSH agent if it's available.
(match (userauth-public-key/auto! session) (match (userauth-public-key/auto! session)
('success ('success